Considering OpenJDK? There are some OpenJDK vulnerabilities that you should be aware of. Learn how you can avoid these issues in this Java security update.
Being security-focused is a good place to start when choosing to adopt OpenJDK. Like all open source software, it’s not perfect and can be prone to issues. The following are some noteworthy concerns about certain versions to be avoided.
Here are two recent and related OpenJDK vulnerabilities:
CVE-2020-2803 affects 7u251, 87241, 11.0.6, and version 14 of OpenJDK. This one is difficult to exploit. But it allows unauthenticated attackers with network access via multiple protocols to compromise Java SE. For the attack to be successful, additional human interaction other than that of the attacker is required within Java SE. However, if successful, the attack may impact additional products.
The typical target of this attack is:
Servers that run only trusted code are unaffected by this vulnerability. CVE gave this a score of 8.3.
Earlier in 2020, there was another vulnerability with the same description. CVE-2020-2604 rated at 8.1.
[Forrester Report] Still Deciding on OpenJDK?Find out what the Forrester analysts have to say about using OpenJDK as an alternative to Oracle.Get the Report
Find out what the Forrester analysts have to say about using OpenJDK as an alternative to Oracle.
Get the Report
Here's a Java security update on issues affecting older versions of OpenJDK:
While these examples are for older versions of Java, we still see people using these versions.
CVE-2014-0462 and CVE-2014-2405 affect versions of OpenJDK 6 before 6b31 on Ubuntu and Debian12.04 LTS and 10.04 LTS. The unknown impact and attack vectors that were severe enough receive a CVS scores of 10.
CVE-2014-2483 and CVE-2014-4223 affect 7u60 of OpenJDK 7. This results in total information disclosure revealing all system files. The total loss of integrity compromises system protection entirely. This scored a hefty 9.3.
Like so many other types of open source software, keeping your software up to date is the best practice to prevent your OpenJDK applications from becoming exposed. This sometimes is easier said than done in a production environment. And sometimes a patch is put out. But by keeping up to date, you’re keeping the structural integrity of your application in order.
Staying informed on CVE’s with OpenJDK is also easy as they have a security bulletin. While there, you can also sign up for a mailing list for security vulnerabilities. With such an active and robust community online, all the resources you could ever need for OpenJDK are right at your fingertips.
Are you looking for Enterprise Architects with Java expertise? The team at OpenLogic by Perforce is here to help. Our passionate, experienced Enterprise Architects provide end-to-end services for OpenJDK. They'll help you confidently gain the freedom and savings that come with using open source software. Learn more about open source Java services and support.
With OpenLogic, you can trust you'll be working with an experienced architect with a wealth of experience solving complex challenges in Java environments. Connect with one of our open source architects to get answers to your questions and to learn more about our OpenJDK support, innovation, migration, and training!
TALK TO AN OPENJDK EXPERT
Associate Enterprise Architect, OpenLogic by Perforce
Andrew's areas of specialization include networking, Linux, network security including OpenSSL, and operational troubleshooting. He has been working in the industry for three years and is acquiring new skills every day.